Add rename_csp_helper_nonce_attribute actionview configuration
Adds a configuration to rename the csp helper attribute name. It's disabled by default currently until the JS libraries are updated to the new attribute name and Rails can ship with a new default attribute name. Fixes #51580
1 parent af33bef, commit 68a83a2. Showing 4 changed files with 38 additions and 2 deletions.
@@ -1,2 +1,15 @@ | ||
* Add a disabled configuration `rename_csp_helper_nonce_attribute` to rename the csp_meta_tag helper nonce attribute name | ||
If enabled, it renames the `content` attribute to `nonce` to avoid certain kinds of value exfiltration attacks. | ||
|
||
``` | ||
app.config.action_view.rename_csp_helper_nonce_attribute = true | ||
<%= csp_meta_tag %> | ||
# renders | ||
<meta name="csp-nonce" nonce="..." /> | ||
# instead of | ||
<meta name="csp-nonce" content="..." /> | ||
``` | ||
|
||
*Niklas Häusele* | ||
|
||
Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/actionview/CHANGELOG.md) for previous changes. |
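Review bot: the new CHANGELOG entry (lines 1-15 of the hunk) should name the attack it mitigates and warn about the compatibility cost; as written, "to avoid certain kinds of value exfiltration attacks" leaves the reader guessing, and a single sentence on why the same value in `nonce="..."` is safer than in `content="..."` would make the motivation checkable. The commit message says the flag is off by default until JS libraries are updated to the new attribute name, but the entry itself never says that enabling it changes what clients see: add a line along the lines of "Any client-side code that reads the nonce from the `content` attribute of `<meta name="csp-nonce">` must be updated before enabling this option." Minor: "Add a disabled configuration `rename_csp_helper_nonce_attribute`" reads better as "Add a configuration `rename_csp_helper_nonce_attribute`, disabled by default, ...", and the example `app.config.action_view.rename_csp_helper_nonce_attribute = true` would match the rest of the CHANGELOG if written as `config.action_view.rename_csp_helper_nonce_attribute = true`.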